The present invention relates generally to a system for restricting access to transmitted programming content, and more particularly, to a system for transmitting an encrypted program together with a program identifier which is used by a set-top terminal, together with stored entitlement information, to derive the decryption key necessary to decrypt the program.
As the number of channels available to television viewers has increased, along with the diversity of the programming content available on such channels, it has become increasingly challenging for service providers, such as cable television operators and digital satellite service operators, to offer packages of channels and programs that satisfy the majority of the television viewing population. The development of packages that may be offered to customers is generally a marketing function. Generally, a service provider desires to offer packages of various sizes, from a single program to all the programs, and various combinations in between.
The service provider typically broadcasts the television programs from a transmitter, often referred to as the xe2x80x9chead-end,xe2x80x9d to a large population of customers. Each customer is typically entitled only to a subset of the received programming, associated with purchased packages. In a wireless broadcast environment, for example, the transmitted programming can be received by anyone with an appropriate receiver, such as an antenna or a satellite dish. Thus, in order to restrict access to a transmitted program to authorized customers who have purchased the required package, the service provider typically encrypts the transmitted programs and provides the customer with a set-top terminal (STT) containing one or more decryption keys which may be utilized to decrypt programs that a customer is entitled to. In this manner, the set-top terminal receives encrypted transmissions and decrypts the programs that the customer is entitled to, but nothing else.
In order to minimize piracy of the highly sensitive information stored in the set-top terminals, including the stored decryption keys, the set-top terminals typically contain a secure processor and secure memory, typically having a capacity on the order of a few kilobits, to store the decryption keys. The secure memory is generally non-volatile, and tamper-resistant. In addition, the secure memory is preferably writable, so that the keys may be reprogrammed as desired, for example, for each billing period. The limited secure memory capacity of conventional set-top terminals limits the number of keys that may be stored and thereby limits the number of packages which may be offered by a service provider. It is noted that the number of programs typically broadcast by a service provider during a monthly billing period can be on the order of 200,000.
In one variation, conventional set-top terminals contain a bit vector having a bit entry corresponding to each package of programs offered by the service provider. Typically, each package corresponds to one television channel. If a particular customer is entitled to a package, the corresponding bit entry in the bit vector stored in the set-top terminal is set to one (xe2x80x9c1xe2x80x9d). Thereafter, all programs transmitted by the service provider are encrypted with a single key. Upon receipt of a given program, the set-top terminal accesses the bit vector to determine if the corresponding bit entry has been set. If the bit entry has been set, the set-top terminal utilizes a single stored decryption key to decrypt the program.
While, in theory, flexibility is achieved in the bit vector scheme by providing a bit entry for each program, the length of the bit vector would be impractical in a system transmitting many programs in a single billing period. In addition, access control in such a system is provided exclusively by the entries in the bit vector and is not cryptographic. Thus, if a customer is able to overwrite the bit vector, and set all bits to one (xe2x80x9c1xe2x80x9d), then the customer obtains access to all programs.
In a further variation, programs are divided into packages, and all programs in a given package are encrypted using the same key. Again, each package typically corresponds to one television channel. The set-top terminal stores a decryption key for each package the customer is entitled to. Thus, if a program is to be included in a plurality of packages, then the program must be retransmitted for each associated package, with each transmission encrypted with the encryption key corresponding to the particular package. Although the access control is cryptographic, the overhead associated with retransmitting a given program a number of times discourages service providers from placing the same program in a number of packages and thereby limits flexibility in designing packages of programs.
While such previous systems for encrypting and transmitting programming content have been relatively successful in restricting access to authorized customers, they do not permit a service provider, such as a television network, to offer many different packages containing various numbers of programs to customers, without exceeding the limited secure memory capacity of the set-top terminal or significantly increasing the overhead. As apparent from the above-described deficiencies with conventional systems for transmitting encrypted programming content, a need exists for a system for transmitting a program encrypted with a key, together with a program identifier used by a set-top terminal, together with stored entitlement information, to derive the decryption key necessary to decrypt the program. A further need exists for a system that permits a service provider to include a program in a plurality of packages, without requiring the service provider to retransmit the program for each package. Yet another need exists for an access control system that overcomes the secure memory limitations of the set-top terminal without significantly increasing the overhead associated with the transmitted programming content.
Generally, encrypted programming content is transmitted by a service provider using a transmitter, or head-end server, to one or more customers. According to one aspect of the invention, a program identifier, p, used to identify the program is transmitted to the customer with the programming content. Each customer preferably has a set-top terminal or another mechanism to restrict access to the transmitted multimedia information using decryption keys. The set-top terminal preferably receives entitlement information periodically from the head-end, corresponding to one or more packages of programs that the customer is entitled to for a given period.
Each program is preferably encrypted by the head-end server prior to transmission, using a program key, Kp, which may be unique to the program. In addition to transmitting the encrypted program, the head-end server preferably transmits the program identifier, p, to the set-top terminal. The set-top terminal uses the received program identifier, p, together with the stored entitlement information, to derive the decryption key necessary to decrypt the program. In this manner, if a customer is entitled to a particular program, the set-top terminal will be able to derive the encrypted program key, Kp, using the stored and received information, and thereafter use the program key, Kp, to decrypt the encrypted program. In various embodiments, the program identifier, p, can be interleaved with the program portion or transmitted on a separate dedicated control channel.
According to another aspect of the invention, each of the k-bit program keys, Kp, used to encrypt transmitted programs is a linear combination of a defined set of k-bit master keys, m1 . . . mn, with each master key, mi, preferably stored by the head-end server in a column of a k x n matrix, M The bit-length, k, of the program keys, Kp, must be greater than the bit-length, n, of the program identifier, p. The program identifier, p, serves as a program key-mask by dictating which keys in the master key matrix, M, are utilized in generating the program keys, Kp. The head-end server preferably generates a new set of master keys for the matrix, M, once per billing period. In one embodiment, the master key matrix, M, may be randomly generated, provided that the master keys, mi, are linearly independent so that a generated program key, Kp, cannot unexpectedly be zero.
A customer purchases one or more desired packages, which together contain r programs. Since each program key, Kp, used to encrypt the programs is a linear combination of the set of master keys, M, once the customer obtains the program key, Kp, to each of the entitled r programs, then the customer may also easily derive the program keys, Kp, to 2r programs. Thus, according to a further aspect of the invention, a customer desiring r programs, actually obtains access to the smallest linear subspace of programs, U, that contains those r programs. The programs are preferably organized in a manner that allows programs with related content to fit into a low dimensional linear subspace. In addition, since each program key, Kp, is a linear combination of the master keys, M, a given package cannot have an arbitrary number of programs. Specifically, a package consists of (2ixe2x88x921) program identifiers, for some value of i which is less than or equal to n, which need not all be assigned to programs.
The set-top terminal needs to decrypt any program, p, that belongs to the customer""s entitled subspace, U, but no other programs. The subspace, U, can be represented by a basis matrix, B. In order to decrypt the subspace, U, of programs, each identified by a program identifier, p, the set-top terminal needs a corresponding subset of the master keys, derived from the master key matrix, M. Thus, the set-top terminal includes a customer key matrix, K, containing the derived portion of the master keys to which the customer is entitled. In addition, the entitlement information stored by the set-top terminal includes a set of active row indices, i1 . . . ir, used by the head-end server to create a regular matrix, Bxe2x80x2, from the basis matrix, B, and an inverse of the regular basis matrix, (Bxe2x80x2)xe2x88x921.
In one preferred embodiment, the set-top terminal also stores a check matrix, C, as part of the entitlement information to allow the set-top terminal to determine, in advance, whether a received program is in the entitled subspace, U, without going through the entire decryption procedure. In this manner, the set-top terminal can definitively distinguish between programs that fail to be decrypted due to transmission errors and those that fail to be decrypted because they are not a member of the subspace, U.
A more complete understanding of the present invention, as well as further features and advantages of the present invention, will be obtained by reference to the following detailed description and drawings.